Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

CVE-2024-50029

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
21/10/2024
Last modified:
25/10/2024

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> Bluetooth: hci_conn: Fix UAF in hci_enhanced_setup_sync<br /> <br /> This checks if the ACL connection remains valid as it could be destroyed<br /> while hci_enhanced_setup_sync is pending on cmd_sync leading to the<br /> following trace:<br /> <br /> BUG: KASAN: slab-use-after-free in hci_enhanced_setup_sync+0x91b/0xa60<br /> Read of size 1 at addr ffff888002328ffd by task kworker/u5:2/37<br /> <br /> CPU: 0 UID: 0 PID: 37 Comm: kworker/u5:2 Not tainted 6.11.0-rc6-01300-g810be445d8d6 #7099<br /> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014<br /> Workqueue: hci0 hci_cmd_sync_work<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x5d/0x80<br /> ? hci_enhanced_setup_sync+0x91b/0xa60<br /> print_report+0x152/0x4c0<br /> ? hci_enhanced_setup_sync+0x91b/0xa60<br /> ? __virt_addr_valid+0x1fa/0x420<br /> ? hci_enhanced_setup_sync+0x91b/0xa60<br /> kasan_report+0xda/0x1b0<br /> ? hci_enhanced_setup_sync+0x91b/0xa60<br /> hci_enhanced_setup_sync+0x91b/0xa60<br /> ? __pfx_hci_enhanced_setup_sync+0x10/0x10<br /> ? __pfx___mutex_lock+0x10/0x10<br /> hci_cmd_sync_work+0x1c2/0x330<br /> process_one_work+0x7d9/0x1360<br /> ? __pfx_lock_acquire+0x10/0x10<br /> ? __pfx_process_one_work+0x10/0x10<br /> ? assign_work+0x167/0x240<br /> worker_thread+0x5b7/0xf60<br /> ? __kthread_parkme+0xac/0x1c0<br /> ? __pfx_worker_thread+0x10/0x10<br /> ? __pfx_worker_thread+0x10/0x10<br /> kthread+0x293/0x360<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork+0x2f/0x70<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork_asm+0x1a/0x30<br /> <br /> <br /> Allocated by task 34:<br /> kasan_save_stack+0x30/0x50<br /> kasan_save_track+0x14/0x30<br /> __kasan_kmalloc+0x8f/0xa0<br /> __hci_conn_add+0x187/0x17d0<br /> hci_connect_sco+0x2e1/0xb90<br /> sco_sock_connect+0x2a2/0xb80<br /> __sys_connect+0x227/0x2a0<br /> __x64_sys_connect+0x6d/0xb0<br /> do_syscall_64+0x71/0x140<br /> entry_SYSCALL_64_after_hwframe+0x76/0x7e<br /> <br /> Freed by task 37:<br /> kasan_save_stack+0x30/0x50<br /> kasan_save_track+0x14/0x30<br /> kasan_save_free_info+0x3b/0x60<br /> __kasan_slab_free+0x101/0x160<br /> kfree+0xd0/0x250<br /> device_release+0x9a/0x210<br /> kobject_put+0x151/0x280<br /> hci_conn_del+0x448/0xbf0<br /> hci_abort_conn_sync+0x46f/0x980<br /> hci_cmd_sync_work+0x1c2/0x330<br /> process_one_work+0x7d9/0x1360<br /> worker_thread+0x5b7/0xf60<br /> kthread+0x293/0x360<br /> ret_from_fork+0x2f/0x70<br /> ret_from_fork_asm+0x1a/0x30

Impact

Vector 3.x
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS v3.1 Severity and Metrics:

Base Score: 7.80 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Base Score 3.x
7.80
Severity 3.x
HIGH

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.1 (including) 6.6.57 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.11.4 (excluding)
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*

To consult the complete list of CPE names with products and versions, see this page


References to Advisories, Solutions, and Tools